Re: YA cookie draft, v2.21 from Koen Holtman on 1996-04-23 (ietf-http-wg@w3.org from April to June 1996)

From: Koen Holtman <koen@win.tue.nl>
Date: Tue, 23 Apr 1996 21:21:26 +0200 (MET DST)
To: Dave Kristol <dmk@allegra.att.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <199604231921.VAA02864@wsooti06.win.tue.nl>

Dave Kristol:
>
>The latest draft of the cookie spec. is at
>	http://www.research.att.com/~dmk/cookie.html

Only two comments:


#4.3.5  Sending Cookies in Unverifiable Transactions  Users must have      |
#control over sessions in order to insure privacy.
                                   ^^^^^^

Shouldn't this be `assure'?


#8.2  Cookie Spoofing
#
[...]
#Note that a server at cracker.edu could send a cookie to the client and   |
#subsequently get both of the cookies in the preceding example as well as  |
#its own.

I was confused by this, and after re-reading it twice, I think this is
wrong.  I believe this should be:

 Note that a server called cracker.edu could send a cookie to the
 client without an explicit domain, and subsequently get the second
 cookie in the preceding example as well as its own.


Koen.

Received on Tuesday, 23 April 1996 12:24:57 UTC